Flask 2.3.x causes error 'flask.json' has no attribute 'JSONEncoder' at startup

[chrisinmtown]

Description

My tox tests on a project that use connexion started failing with the very recent release of Flask version 2.3.x released 25 Apr 2023. Now the REST server fails when tests try to run with this message:

our_module/__init__.py:9: in <module>
    import connexion
.tox/code/lib/python3.9/site-packages/connexion/__init__.py:32: in <module>
    from .apps.flask_app import FlaskApp
.tox/code/lib/python3.9/site-packages/connexion/apps/flask_app.py:151: in <module>
    class FlaskJSONEncoder(json.JSONEncoder):
E   AttributeError: module 'flask.json' has no attribute 'JSONEncoder'

I initially asked the Flask people about this, and they instantly redirected me to connexion, see pallets/flask#5094

Expected behaviour

Connexion server passes tests when package is installed by tox.

Actual behaviour

Connexion server fails to start during tox testing.

Steps to reproduce

Upgrade to Flask 2.3.0 or 2.3.1 and run tox tests.

Additional info:

Output of the commands:

• python --version: python 3.9
• pip show connexion | grep "^Version\:" connexion 2.14.2

[davidism]

Already reported in #1576 and fixed in #1582

[chrisinmtown]

Thanks for the really fast reply. I see the old issue about upgrading connexion to Flask 2.3. To the best of my knowledge I'm using the latest and greatest general-release connexion, version 2.14.2. Please tell me which connexion version has fix #1582? I'm a little reluctant to jump on the 3.0 alpha release train.

[davidism]

Looks like it will be in the next stable release. Until then, and regardless, you should always use a tool like pip-tools to pin your application's entire dependency tree and avoid unexpected updates.

[chrisinmtown]

Yep here's the complaint from pip-compile (from pip-tools):

There are incompatible versions in the resolved dependencies:
  Werkzeug>=2.3.0 (from Flask==2.3.1->our_package (setup.py))
  werkzeug<2.3,>=1.0 (from connexion[swagger-ui]==2.14.2->our_package (setup.py))

[davidism]

Connexion, as a library, should not have an upper bound on dependencies, that's a big problem: https://iscinumpy.dev/post/bound-version-constraints/

[RobbeSneyders]

Connexion 2.X is not compatible with Flask 2.3+. This is indicated by the upper bound in the requirements.

Connexion 3.X is compatible with Flask 2.2+ only and is now in alpha.

The reasoning is explained in #1582

Partially fixes #1576 by updating the jsonifier and related code to be compatible with Flask 2.3.
Since this new json interface in Flask was only introduced in Flask 2.2, we'll have to pin it as the lower bound version.

I'm doubting if we should backport this to v2. It introduces some breaking changes for users who use custom json encoders, and it would force us to bump the lower bound version of Flask to 2.2 there as well.

If we don't do a backport, we should pin the upper bound Flask version on v2 to 2.2 instead.

[davidism]

Got it, thanks for clarifying. I should have been more nuanced when I said that, sounds like connexion is doing things right.

[chrisinmtown]

Thank you all for responding so quickly. Just to convince myself, I downloaded the connexion tar archive from PyPI and verified that file connexion.egg-info/requires.txt has flask<2.3,>=1.0.4. I guess this now becomes a challenge to me to figure out why invoking tox leads to a sequence of install commands that fetch the latest and greatest version of Flask during my Docker image build, and do not honor the version of Flask pinned by connexion. The offending line shown in tox -vv output is:

code: 6093 W install_package_deps> python -I -m pip install Flask certifi 'connexion[swagger-ui]' gevent importlib-resources python-dateutil requests 'six>=1.10' 'urllib3>=1.15' [tox/tox_env/api.py:428]

Those dependencies are straight from my package's setup.py file. My workaround is to change that file, to pin Flask to 2.2.4.

Even tho I see clearly that connexion pins the Flask version, the takeaway for me here remains that the recent release of Flask 2.3.0 definitely messed things up for this connexion user. Was the combination of unpinned dependencies working until yesterday purely by accident, because the latest & greatest connexion was compatible with the latest & greatest Flask until Apr 24? I'm not at all convinced that my workaround is the right one. Thanks for any thoughts you might have here.